
Fortinet Mitigates Critical FortiCloud SSO Zero-Day Before Patch

Originally published on: January 29, 2026
Summary

– Fortinet confirmed a new critical authentication bypass vulnerability (CVE-2026-24858) in FortiCloud SSO that was actively exploited to gain administrative access to customer devices.
– The flaw allowed attackers to compromise fully patched FortiOS, FortiManager, and FortiAnalyzer devices by abusing FortiCloud SSO, creating new local admin accounts.
– Fortinet mitigated the attacks by disabling the abused accounts and then globally blocking FortiCloud SSO logins from devices running vulnerable firmware.
– While only FortiCloud SSO exploitation was observed, Fortinet warned the underlying issue applies to all SAML-based SSO implementations.
– Patches are still in development, and Fortinet advises customers who detect signs of compromise to treat devices as fully breached and restore from clean backups.

A critical security flaw in Fortinet’s FortiCloud single sign-on (SSO) service was actively exploited before a patch was available, allowing attackers to bypass authentication and gain administrative control over customer devices. The vulnerability, officially tracked as CVE-2026-24858, was mitigated by Fortinet through server-side changes that block SSO connections from systems running vulnerable firmware. This incident highlights the persistent threat to network security appliances and the importance of robust access controls.

The issue came to light after customers reported compromised FortiGate firewalls on January 21st. Attackers were observed creating new local administrator accounts through the FortiCloud SSO mechanism, even on devices that had the latest firmware installed. Initially, security teams suspected a bypass for a previously patched flaw, CVE-2025-59718, which was addressed in December 2025. However, further investigation revealed a distinct and previously unknown attack path.

Cybersecurity firm Arctic Wolf confirmed the attacks on January 22nd, describing them as automated. The malicious activity involved creating rogue administrator and VPN-enabled accounts and exfiltrating firewall configurations within mere seconds. The speed and method closely mirrored the earlier campaign that exploited CVE-2025-59718.

Fortinet’s Chief Information Security Officer, Carl Windsor, officially confirmed the new attack vector on January 23rd. The company noted that the exploitation had been observed even on fully patched systems, confirming the existence of an alternate authentication path that remained viable. While the active attacks specifically targeted FortiCloud SSO, Fortinet issued a crucial warning: the underlying issue is applicable to all SAML-based SSO implementations.

In response, Fortinet took a series of escalating actions to contain the threat. On January 22nd, the company disabled specific FortiCloud accounts that were being abused by the attackers. By January 26th, Fortinet had disabled FortiCloud SSO globally on its servers to prevent further abuse. Access was restored the following day, but with a critical restriction: devices running vulnerable firmware versions were blocked from authenticating via SSO. This server-side change effectively neutralizes the threat for now, meaning administrators do not need to take immediate client-side action until official patches are released.

The formal advisory, published on January 27th, rates the vulnerability as critical with a CVSS score of 9.4. It is categorized as an “Authentication Bypass Using an Alternate Path or Channel,” stemming from improper access control. An attacker with a FortiCloud account and a registered device could potentially authenticate to other customers’ devices if FortiCloud SSO was enabled. Notably, this feature is not enabled by default but can activate automatically when a device is registered with FortiCare unless manually disabled afterward.

Fortinet identified two malicious FortiCloud SSO accounts used in the attacks: cloud-noc@mail.io and cloud-init@mail.io. These accounts were locked out on January 22nd. Once a device was breached, attackers would download customer configuration files and create new local admin accounts with names like `audit`, `backupadmin`, or `system`. Connections were traced to a series of IP addresses, including `104.28.244.115` and `104.28.212.114`.

Patches for affected products, including FortiOS, FortiManager, and FortiAnalyzer, are currently in development. In the interim, because the server-side block is in place, administrators are not required to disable FortiCloud SSO to prevent exploitation of this specific flaw. However, given the potential for similar abuse in other SAML SSO setups, Fortinet suggests administrators may still want to disable the feature using the command: `config system global set admin-forticloud-sso-login disable`.

The company is still investigating whether FortiWeb and FortiSwitch Manager are also affected. Fortinet strongly advises that any customer detecting the listed indicators of compromise in their logs should assume their devices are fully compromised. Recommended response actions include a thorough review of all administrator accounts, restoration of configurations from known-clean backups, and the rotation of all credentials.
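As an added illustration (not from the article, Fortinet, or Bleeping Computer), a small Python triage script that sweeps key=value event logs for the indicators listed above: the two SSO accounts, the source IPs, creation of local admin accounts (flagging the names `audit`, `backupadmin` and `system` specifically), and configuration downloads. The field names (`user`, `srcip`, `action`, `cfgpath`, `cfgobj`, `msg`) and the sample log lines are constructed assumptions, not a guaranteed FortiOS log format.

```python
import re

# Indicators quoted in the article above. The log field names used below (user,
# srcip, action, cfgpath, cfgobj, msg) are an assumption modelled on key=value logs.
IOC_ACCOUNT_NAMES = {"audit", "backupadmin", "system"}
IOC_SSO_USERS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
IOC_SOURCE_IPS = {"104.28.244.115", "104.28.212.114"}

# Constructed sample lines (not real captures): an SSO login from a listed IP,
# creation of a local admin named "audit", a config download, then a benign admin add.
SAMPLE_LOGS = """\
date=2026-01-21 time=03:12:07 type=event user="admin" srcip=203.0.113.5 action=login status=success msg="Administrator login"
date=2026-01-21 time=03:15:41 type=event user="cloud-noc@mail.io" srcip=104.28.244.115 action=login status=success msg="FortiCloud SSO login"
date=2026-01-21 time=03:15:43 type=event user="cloud-noc@mail.io" srcip=104.28.244.115 action=Add cfgpath=system.admin cfgobj=audit msg="Add system.admin audit"
date=2026-01-21 time=03:15:44 type=event user="cloud-noc@mail.io" srcip=104.28.244.115 action=download msg="Configuration backup downloaded"
date=2026-01-21 time=09:02:10 type=event user="admin" srcip=203.0.113.5 action=Add cfgpath=system.admin cfgobj=helpdesk msg="Add system.admin helpdesk"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    # Values are either double-quoted (may contain spaces) or bare tokens.
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def classify(line):
    # Return the list of indicator tags that apply to one log line.
    ev, hits = parse_kv(line), []
    if ev.get("srcip") in IOC_SOURCE_IPS:
        hits.append("ioc-source-ip")
    if ev.get("user") in IOC_SSO_USERS:
        hits.append("ioc-sso-account")
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        name = ev.get("cfgobj", "")
        hits.append("admin-created:" + name)  # every new local admin deserves review
        if name in IOC_ACCOUNT_NAMES:
            hits.append("ioc-admin-name")
    if ev.get("action") == "download" and "config" in ev.get("msg", "").lower():
        hits.append("config-download")
    return hits

def scan(text):
    # (line number, tags) for every line that matched at least one rule.
    return [(n, h) for n, l in enumerate(text.splitlines(), 1) if (h := classify(l))]

def needs_rebuild(findings):
    # Per the guidance above: any hard indicator means treat the device as compromised,
    # review all admin accounts, restore from a clean backup and rotate credentials.
    return any(tag.startswith("ioc-") for _, tags in findings for tag in tags)
```

A benign admin creation (the last sample line) is surfaced for review but does not by itself trigger the rebuild recommendation.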

(Source: Bleeping Computer)
